Lavabit Case May Be One of Many in Coming Years

SAN FRANCISCO–The Lavabit case, which saw the secure email provider’s owner shut the company down after being forced to hand over to the government the encryption key that protected his users’ data, may seem like an extreme reaction to a unique situation. But experts say it’s likely that there will be similar situations in the near future, and technology providers and users should change the way they think about what the threats to their data may be.

The FBI went to Lavabit’s founder, Ladar Levison, last year in the wake of the NSA revelations and demanded access to the encrypted emails of one of its users, Edward Snowden. After a lot of back and forth and legal wrangling, Levison eventually turned over the encryption key that protected the communications of all of his users, and then promptly closed the business. Marcia Hoffman, one of Levison’s lawyers, said that she believes there will soon be other cases like Lavabit.

“I don’t believe that Lavabit is a unicorn,” she said in a talk at the TrustyCon conference here Thursday. “We need to update our threat models. Ladar was worried about data at rest, not data in transmission. The threats are different than we thought. Security and privacy enhancing services are really in the crosshairs. To the extent that you design a service like Lavabit, you should be thinking about how you’re going to deal with government requests.”

Those threats now include not just attackers and cybercriminals, but governments and their lawyers. Hoffman said that the way the government is interpreting surveillance and wiretapping laws now has put technology companies in a difficult position. CALEA, the statute that requires telecom companies and others to help law enforcement agencies with lawful intercept and wiretapping operations, specifically didn’t apply to information technology companies, she said.

“The government has taken the position that a service provider has to provide any information that the government wants,” she said. “If you don’t like turning over your keys, you can just backdoor your system. Putting this kind of pressure on Internet companies really flies in the face of what Congress decided.”

The Lavabit case is still wending its way through the court system, as Levison is appealing a contempt of court order against him. Hoffman said that the broader issues related to the case–the use of encryption and the government’s efforts to get at encrypted data–will only become more important in the months and years ahead. And she also warned users not to become too enamored of new, supposedly surveillance-resistant communications services that are springing up.

“If you don’t have a reasonable expectation of privacy in encrypted data, where do you have that expectation?” she said. “We need to stop making promises to users that we don’t know if we can keep, like NSA-proof email. I would be very skeptical of claims like that. I don’t know if anybody can actually make a promise like that.”

Authors

Threatpost